Abstract. In this paper, we build upon the model of two-party quantum computation introduced by Salvail et al. [SSS09] and show that in this model, only trivial correct two-party quantum protocols are weakly self-composable. We do so by defining a protocol $\Pi$ calling any non-trivial sub-protocol $\pi$ $N$ times and showing that there is a quantum honest-but-curious strategy that cannot be modeled by acting locally in every single copy of $\pi$. In order to achieve this, we assign a real value called payoff to any strategy for $\Pi$ and show that there is a gap between the highest payoff achievable by coherent and by local strategies.

1 Introduction 

The most striking result in quantum cryptography is certainly the capacity to perform secret-key distribution [BB84] securely by a universally composable quantum protocol [RK05,BHL+05]. This is in sharp contrast with what is achievable using classical communication alone. A different class of cryptographic primitives, called two-party computation, is not as easy to solve using quantum communication. In fact, some two-party primitives are as impossible to achieve using quantum communication as they are using classical communication alone. In particular, well-known two-party primitives like oblivious transfer [Lo97], bit commitment [May97,LC97], and fair coin-tossing [Kit03] have neither classical nor quantum secure implementations. However, there exist weaker primitives achievable by quantum protocols but impossible in the classical world. For instance, sharing an EPR pair allows two players to implement a noisy version of a two-party primitive called non-local box (NLB) with noise rate $\sin^2(\pi/8)$ [PR94,BLM+05], a task impossible to achieve classically. Due to the local equivalence between randomized NLB and randomized one-out-of-two oblivious transfer (1-2-OT) [WW05b], a noisy version of randomized 1-2-OT with noise rate $\sin^2(\pi/8)$ can also be obtained from one shared EPR pair, while no such classical protocol exists.

The cryptographic power of quantum protocols for two-party computation has been investigated in [SSS09]. Let Alice and Bob be the two parties involved in a two-party computation. In this model, a primitive is modelled by a joint probability distribution $P_{X,Y}$ where Alice outputs $x$ and Bob outputs $y$ with probability $P_{X,Y}(x,y)$. Any two-party primitive can be randomized (the inputs to the functionality are picked at random) so that its functionality is captured by an appropriate choice of $P_{X,Y}$. We say that $P_{X,Y}$ is trivial if it can be implemented by a correct classical protocol against honest-but-curious (HBC) adversaries. Intuitively, a quantum protocol for primitive $P_{X,Y}$ is correct if, once Alice and Bob get their respective outputs with joint probability $P_{X,Y}$, nothing else is available to either party about the other party's output. Such a protocol can be purified and the measurements yielding the outcomes $X$ and $Y$ can be postponed to the end of the protocol's execution. The state of the protocol just before the final measurements take place is then called the quantum embedding of the implemented primitive. In addition, a regular embedding of a primitive is defined to be an embedding where Alice and Bob do not possess any other (auxiliary) registers than the ones used to measure their respective outputs. In [SSS09], it is shown that although quantum protocols can correctly implement non-trivial functionalities, they will always leak extra information even against the weak class of honest-but-curious quantum adversaries. While classical protocols can only implement trivial primitives, quantum protocols necessarily leak when they correctly implement something non-trivial.

In this paper, we look at another aspect of two-party quantum protocols: their ability to compose against quantum honest-but-curious adversaries (QHBC). In order to guarantee composability, the functionality of a quantum protocol should be modeled by some classical ideal functionality. An ideal functionality is a classical description of what the protocol achieves independently of the environment in which it is executed. If a protocol does not admit such a description, then it clearly cannot be used in any environment while keeping its functionality, and such a protocol would not compose securely in all applications. In particular, we investigate the composability of non-trivial quantum protocols. An embedding of $P_{X,Y}$ is called trivial if both parties can access at least the same amount of information about the functionality as is possible in some classical protocol for $P_{X,Y}$ in the HBC model. Otherwise, it is said to be non-trivial. A quantum protocol is non-trivial if its bipartite purification results in a non-trivial embedding. We show that no non-trivial quantum protocol composes freely, even if the adversary is restricted to be honest-but-curious. No ideal functionality, even with an uncountable set of rules, can fully characterize the behavior of a quantum protocol in all environments. This is clearly another severe limit to the cryptographic power of two-party quantum protocols.

It is not too difficult to show that any trivial embedding can be implemented by a quantum protocol that composes against QHBC adversaries. In the other direction, let $|\psi(\pi)\rangle \in \mathcal{H}_A \otimes \mathcal{H}_B$ be a non-trivial embedding of $P_{X,Y}$ corresponding to the bipartite purification of quantum protocol $\pi$. We know that $|\psi(\pi)\rangle$ necessarily leaks information towards a QHBC adversary. Any ideal functionality $\mathrm{ID}_\pi$ for protocol $\pi$ trying to account for honest-but-curious behaviors should allow the simulation of all measurements applied either in $\mathcal{H}_A$ or $\mathcal{H}_B$ through an appropriate call to $\mathrm{ID}_\pi$. One way to do this is to define $\mathrm{ID}_\pi$ by a function $[0..1] \times [0..1] \mapsto [0..1] \times [0..1]$ where $\mathrm{ID}_\pi(0,0)$ corresponds to the honest behavior on both sides: $\mathrm{ID}_\pi(0,0) = (x,y)$ with probability $P_{X,Y}(x,y)$, where $(x,y)$ is encoded as a pair of real numbers. Other inputs to the ideal functionality allow for the simulation of different strategies mounted by the QHBC adversary. In its most general form, an ideal functionality could have an uncountable set of possible inputs in order to allow the simulation of all QHBC adversaries. We show that even allowing for these general ideal functionalities, composed non-trivial protocols cannot be modeled by one single ideal functionality. It means that for a protocol $\Pi$ calling $N$ times any non-trivial sub-protocol $\pi$, there is a QHBC strategy that cannot be modeled by arbitrarily many calls of $\mathrm{ID}_\pi$, each of them acting locally on a single copy of $\pi$.

In order to achieve this, we provide a generic example of such a protocol. Protocol $\Pi$ produces, as output, a real value $p$ that we call payoff. The payoff $p$ represents how well the adversary can compare, without error, two factors of product states extracted from the $N$ executions of protocol $\pi$. Following a result of [KKB05], the product states are constructed in such a way that no individual measurement can do as well as the best coherent measurement. It follows that the payoff corresponding to any adversary restricted to deal with $\pi$ through any ideal functionality would necessarily be lower than the one an adversary applying coherent strategies on both parts of the product state could get. This implies that no ideal functionality for $\pi$ would ever account for all QHBC strategies in $\Pi$. Moreover, the advantage of coherent strategies over individual ones can be made constant. The result follows.

2 Preliminaries 

Classical Information Theory - Dependent Part The following definition introduces a random variable describing the correlation between two random variables $X$ and $Y$.

Definition 2.1 (Dependent part [WW04]). For two random variables $X, Y$, let $f_X(x) := P_{Y|X=x}$. Then the dependent part of $X$ with respect to $Y$ is defined as $X \searrow Y := f_X(X)$.

The dependent part $X \searrow Y$ is the minimum random variable among the random variables computable from $X$ such that $X \leftrightarrow X\searrow Y \leftrightarrow Y$ is a Markov chain [WW04]. It means that for any random variable $K = f(X)$ such that $X \leftrightarrow K \leftrightarrow Y$ is a Markov chain, there exists a function $g$ such that $g(K) = X\searrow Y$. Immediately from the definition we get several other properties of $X\searrow Y$ [WW04]: $H(Y|X\searrow Y) = H(Y|X)$, $I(X;Y) = I(X\searrow Y;Y)$, and $X\searrow Y = X\searrow(Y\searrow X)$. The second and the third formula yield $I(X;Y) = I(X\searrow Y; Y\searrow X)$.

The notion of dependent part has been further investigated in [FWW04,IMNW04,WW05a]. Wullschleger and Wolf have shown that the quantities $H(X\searrow Y|Y)$ and $H(Y\searrow X|X)$ are monotones for two-party protocols [WW05a]. That is, none of these values can increase during classical two-party protocols. In particular, if Alice and Bob start without sharing any non-trivial cryptographic resource then classical two-party protocols can only produce $(X,Y)$ such that $H(X\searrow Y|Y) = H(Y\searrow X|X) = 0$, since $H(X\searrow Y|Y) > 0$ if and only if $H(Y\searrow X|X) > 0$ [WW05a]. Conversely, any primitive satisfying $H(X\searrow Y|Y) = H(Y\searrow X|X) = 0$ can be implemented securely in the honest-but-curious (HBC) model. We call such primitives trivial.
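As an added illustration (my own code, not from [WW04] or from the paper), the following Python computes $X\searrow Y$ from a finite joint distribution exactly as Definition 2.1 prescribes, labelling each $x$ by its conditional distribution $P_{Y|X=x}$, and evaluates the monotones $H(X\searrow Y|Y)$ and $H(Y\searrow X|X)$ for three constructed primitives: the randomized 1-2-OT distribution the paper uses as its running example, the perfectly correlated bit of the EPR embedding, and a distribution where $X$ carries an independent coin so that $X\searrow Y$ is strictly coarser than $X$.

```python
from collections import defaultdict
from fractions import Fraction
from math import log2


def marginal(joint, idx):
    """Marginal of coordinate idx (0 = X, 1 = Y) of a joint distribution {(x, y): p}."""
    m = defaultdict(Fraction)
    for pair, p in joint.items():
        m[pair[idx]] += p
    return dict(m)


def conditional_label(joint, idx):
    """f(v) := P_{other | this = v} for each value v of coordinate idx (Definition 2.1's f_X).
    The conditional distribution is returned as a sorted tuple, so values inducing the
    same conditional distribution receive the same hashable label."""
    marg = marginal(joint, idx)
    cond = defaultdict(dict)
    for pair, p in joint.items():
        cond[pair[idx]][pair[1 - idx]] = p / marg[pair[idx]]
    return {v: tuple(sorted(d.items())) for v, d in cond.items()}


def dependent_part(joint, idx=0):
    """Joint distribution of (X↘Y, Y) for idx=0, or of (X, Y↘X) for idx=1:
    coordinate idx is replaced by its label f(value)."""
    labels = conditional_label(joint, idx)
    out = defaultdict(Fraction)
    for pair, p in joint.items():
        new = list(pair)
        new[idx] = labels[pair[idx]]
        out[tuple(new)] += p
    return dict(out)


def entropy(dist):
    """Shannon entropy in bits of a distribution {value: probability}."""
    return -sum(float(p) * log2(float(p)) for p in dist.values() if p > 0)


def cond_entropy(joint, idx):
    """H(coordinate idx | other coordinate) = H(XY) - H(other)."""
    return entropy(joint) - entropy(marginal(joint, 1 - idx))


def mutual_info(joint):
    """I(X;Y) = H(X) + H(Y) - H(XY)."""
    return entropy(marginal(joint, 0)) + entropy(marginal(joint, 1)) - entropy(joint)


def monotones(joint):
    """The two Wullschleger-Wolf monotones (H(X↘Y|Y), H(Y↘X|X)); the primitive is
    trivial in the HBC model exactly when both are zero [WW05a]."""
    return (cond_entropy(dependent_part(joint, 0), 0),
            cond_entropy(dependent_part(joint, 1), 1))


# Constructed inputs. Randomized 1-2-OT: Alice gets X = (x0, x1), Bob gets Y = (c, y)
# with y = x_c, every consistent tuple having probability 1/8 (the paper's example).
OT = {((x0, x1), (c, (x0, x1)[c])): Fraction(1, 8)
      for x0 in (0, 1) for x1 in (0, 1) for c in (0, 1)}
# Perfectly correlated bit, the distribution of the EPR embedding: X = Y uniformly.
EPR = {(0, 0): Fraction(1, 2), (1, 1): Fraction(1, 2)}
# X = (y, r) where r is an independent coin unrelated to Y = y: the coin is not
# part of X↘Y, so X↘Y takes only two values although X takes four.
NOISY = {((y, r), y): Fraction(1, 4) for y in (0, 1) for r in (0, 1)}

if __name__ == "__main__":
    for name, joint in (("1-2-OT", OT), ("EPR", EPR), ("NOISY", NOISY)):
        print(name, "monotones:", monotones(joint))
```

For 1-2-OT both monotones equal one bit (the unchosen bit, resp. the choice bit, stays hidden), so the primitive is non-trivial, while the EPR and coin-padded distributions give zero on both sides.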

Quantum Information Theory and State Distinguishability Let $|\psi\rangle_{AB} \in \mathcal{H}_{AB}$ be an arbitrary pure state of the joint systems $A$ and $B$. The states of these subsystems are $\rho_A = \mathrm{tr}_B |\psi\rangle\langle\psi|$ and $\rho_B = \mathrm{tr}_A |\psi\rangle\langle\psi|$, respectively. We denote by $S(A) := S(\rho_A)$ and $S(B) := S(\rho_B)$ the von Neumann entropy (defined as the Shannon entropy of the eigenvalues of the density matrix) of subsystems $A$ and $B$, respectively. Since the joint system is in a pure state, it follows easily from the Schmidt decomposition that $S(A) = S(B)$ (see e.g. [NC00]). Analogously to their classical counterparts, we can define the quantum conditional entropy $S(A|B) := S(AB) - S(B)$ and the quantum mutual information $S(A;B) := S(A) + S(B) - S(AB) = S(A) - S(A|B)$. Even though in general $S(A|B)$ can be negative, $S(A|B) \ge 0$ always holds if $A$ is a classical random variable.

The following lemma gives a relation between the probability of error and the probability of a conclusive answer of a POVM used for discriminating two pure states.

Lemma 2.2 ([CB98]). Let the probability of a conclusive outcome and the error probability of some POVM applied to a state sampled uniformly at random from a pair of pure states $(|\psi_0\rangle, |\psi_1\rangle)$ be denoted by $q_c$ and $q_{err}$, respectively. Then
Notice that for the marginal case where $q_{err} = 0$ we get that $q_c \le 1 - |\langle\psi_0|\psi_1\rangle|$ [Iva87,Die88,Per88], and for the marginal case where $q_c = 1$ (no inconclusive answer is allowed) we get $q_{err} \ge \frac{1}{2} - \frac{1}{2}\sqrt{1 - |\langle\psi_0|\psi_1\rangle|^2}$ [Hel76].

Purification All security questions we ask are with respect to (quantum) honest-but-curious adversaries. In the classical honest-but-curious adversary model (HBC), the parties follow the instructions of a protocol but store all information available to them. Quantum honest-but-curious adversaries (QHBC), on the other hand, are allowed to behave in an arbitrary way that cannot be distinguished from their honest behavior by the other player.

Almost all impossibility results in quantum cryptography rely upon a quantum honest-but-curious behavior of the adversary. This behavior consists in purifying all actions of the honest players. Purifying means that instead of invoking classical randomness from a random tape, for instance, the adversary relies upon quantum registers holding all random bits needed. The operations to be executed from the random outcome are then performed quantumly without fixing the random outcomes. For example, suppose a protocol instructs a party to pick with probability $p$ the state $|\phi_0\rangle_C$ and with probability $1-p$ the state $|\phi_1\rangle_C$ before sending it to the other party through the quantum channel $C$. The purified version of this instruction looks as follows: prepare a quantum register in state $\sqrt{p}|0\rangle_R + \sqrt{1-p}|1\rangle_R$ holding the random process; add a new register initially in state $|0\rangle_C$ before applying the unitary transform $U: |r\rangle_R|0\rangle_C \mapsto |r\rangle_R|\phi_r\rangle_C$ for $r \in \{0,1\}$; send register $C$ through the quantum channel and keep register $R$.

From the receiver's point of view, the purified behavior is indistinguishable from the one relying upon a classical source of randomness because in both cases the state of register $C$ is $\rho = p|\phi_0\rangle\langle\phi_0| + (1-p)|\phi_1\rangle\langle\phi_1|$. All operations invoking classical randomness can be purified similarly [LC97,May97].

The result is that measurements are postponed as much as possible and only extract the information required to run the protocol, in the sense that only when both players need to know a random outcome is the corresponding quantum register holding the random coin measured. If both players purify their actions then the joint state at any point during the execution remains pure, until the very last step of the protocol when the outcomes are measured.
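As an added illustration of the purified coin flip described above (my own code, not from the paper), the following Python builds the joint state $\sqrt{p}|0\rangle_R|\phi_0\rangle_C + \sqrt{1-p}|1\rangle_R|\phi_1\rangle_C$ for a constructed choice of $p$ and non-orthogonal $|\phi_0\rangle, |\phi_1\rangle$, traces out the kept register $R$, and checks that the receiver's register $C$ is exactly the mixture $p|\phi_0\rangle\langle\phi_0| + (1-p)|\phi_1\rangle\langle\phi_1|$ while the joint $RC$ state stays pure.

```python
from math import sqrt


def tensor(u, v):
    """Kronecker product of two state vectors; index = i_u * len(v) + i_v."""
    return [a * b for a in u for b in v]


def outer(u, v):
    """The operator |u><v| as a list-of-lists matrix."""
    return [[a * b.conjugate() for b in v] for a in u]


def add(m1, m2):
    return [[x + y for x, y in zip(r1, r2)] for r1, r2 in zip(m1, m2)]


def scale(m, s):
    return [[s * x for x in row] for row in m]


def partial_trace_first(state, dim_r, dim_c):
    """rho_C = tr_R |state><state| for a vector in H_R (dim_r) ⊗ H_C (dim_c)."""
    rho = [[0j] * dim_c for _ in range(dim_c)]
    for r in range(dim_r):
        block = state[r * dim_c:(r + 1) * dim_c]      # amplitudes with R = |r>
        rho = add(rho, outer(block, block))
    return rho


def purity(rho):
    """tr(rho^2) = sum |rho_ij|^2; equals 1 exactly for a pure state."""
    return sum(abs(x) ** 2 for row in rho for x in row)


def purified_state(p, phi0, phi1):
    """The purified instruction: prepare sqrt(p)|0>_R + sqrt(1-p)|1>_R, append |0>_C and
    apply U: |r>_R|0>_C -> |r>_R|phi_r>_C. Returns the joint RC vector (R is kept by the sender)."""
    branch0 = tensor([sqrt(p), 0.0], phi0)
    branch1 = tensor([0.0, sqrt(1 - p)], phi1)
    return [a + b for a, b in zip(branch0, branch1)]


def purified_register_c(p, phi0, phi1):
    """What the receiver actually holds: register C after tracing out the kept register R."""
    return partial_trace_first(purified_state(p, phi0, phi1), 2, len(phi0))


def classical_register_c(p, phi0, phi1):
    """The receiver's description when the sender flips a classical coin instead:
    the mixture p|phi0><phi0| + (1-p)|phi1><phi1|."""
    return add(scale(outer(phi0, phi0), p), scale(outer(phi1, phi1), 1 - p))


def same_matrix(m1, m2, tol=1e-12):
    return all(abs(x - y) < tol for r1, r2 in zip(m1, m2) for x, y in zip(r1, r2))


# Constructed example: p = 0.3, phi0 = |0>, phi1 = |+>, deliberately non-orthogonal.
P = 0.3
PHI0 = [1 + 0j, 0j]
PHI1 = [1 / sqrt(2) + 0j, 1 / sqrt(2) + 0j]

if __name__ == "__main__":
    psi = purified_state(P, PHI0, PHI1)
    print("receiver cannot tell purified from classical:",
          same_matrix(purified_register_c(P, PHI0, PHI1), classical_register_c(P, PHI0, PHI1)))
    print("purity of joint RC state:", purity(outer(psi, psi)))
    print("purity of register C alone:", purity(purified_register_c(P, PHI0, PHI1)))
```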

Correct Two-Party Quantum Protocols and Their Embeddings In this section we define when a protocol correctly implements a joint distribution $P_{X,Y}$, which may correspond to some standard cryptographic task with uniformly random inputs. We call such a probability distribution a primitive. As an example of a primitive, we can take $P_{X,Y}$ such that for all $x_0, x_1, y, c \in \{0,1\}$, $P_{X,Y}(x_0, x_1, c, y) = 1/8$ if and only if $y = x_c$. $P_{X,Y}$ then corresponds to a cryptographic task known as one-out-of-two oblivious transfer (1-2-OT), first introduced by Wiesner [Wie83]. It lets Alice send two bits $(x_0, x_1)$ to Bob, of which he selects one ($x_c$) to receive. In the randomized version, we assume the inputs $x_0$, $x_1$, and $c$ to be chosen uniformly at random. For standard cryptographic primitives such as 1-2-OT, the version with inputs can be securely implemented from the randomized version [WW05b]. It follows that for such primitives, considering the randomized version is without loss of generality.

As a result of the purification of a protocol implementing primitive $P_{X,Y}$, up to the point when the final measurements take place, Alice and Bob obtain a shared pure state $|\psi\rangle$. Without loss of generality, we may assume that the final measurements yielding the implemented probability distribution are in the standard (computational) basis. Besides the registers $A$ and $B$ needed to compute $X$ and $Y$, the players could use auxiliary registers $A'$ and $B'$, so that the final state $|\psi\rangle$ lies in $\mathcal{H}_{AA'} \otimes \mathcal{H}_{BB'}$, where $\mathcal{H}_{AA'}$ and $\mathcal{H}_{BB'}$ denote the subsystems controlled by Alice and Bob, respectively. Informally, we call $|\psi\rangle$ an embedding of $P_{X,Y}$ if the extra working registers $A'$ and $B'$ do not provide any extra information to the honest players measuring their respective registers $A$ and $B$ in the computational basis. By "extra information" we mean additional information about the other party's output that is not available to a player from the ideal functionality for $P_{X,Y}$. A protocol whose purification produces an embedding of $P_{X,Y}$ as the final state is then called a correct protocol for $P_{X,Y}$. Formally, we define an embedding of, and a correct protocol for, a given primitive as follows:

Definition 2.3 ([SSS09]). A protocol $\pi$ for $P_{X,Y}$ is correct if its final state satisfies $S(X;YB') = S(XA';Y) = I(X;Y)$, where $X$ and $Y$ are Alice's and Bob's honest measurement outcomes in the computational basis and $A'$ and $B'$ denote the extra working registers of Alice and Bob. The state $|\psi\rangle \in \mathcal{H}_{AB} \otimes \mathcal{H}_{A'B'}$ is called an embedding of $P_{X,Y}$ if it can be produced by the purification of a correct protocol for $P_{X,Y}$.

Correctness is a natural restriction imposed on two-party quantum protocols, since nothing can prevent honest players from performing any measurement they wish on the systems that are not needed to compute their desired outputs. In the following, we also use the notion of regular embedding which, as it turns out, simplifies the analysis of two-party quantum protocols.

Definition 2.4 ([SSS09]). A regular embedding of $P_{X,Y}$ is an embedding where the auxiliary registers $A'$ and $B'$ are trivial.

[SSS09] shows that any embedding of Px,y can be easily converted into its regular embedding by a 
measurement performed on either side. 

Lemma 2.5 ([SSS09]). Let $|\psi\rangle_{AA'BB'}$ be an embedding of $P_{X,Y}$. Then $|\psi\rangle$ is locally equivalent to a state $|\psi^*\rangle$ of the form

$$|\psi^*\rangle = \sum_k \lambda_k\, |k,k\rangle_{A'B'} |\psi_k\rangle_{AB},$$

where the $\lambda_k$ are all nonnegative real numbers and, for each $k$, $|\psi_k\rangle$ is a regular embedding of $P_{X,Y}$.

It follows easily from the lemma above that Alice can convert $|\psi\rangle$ into a product state $|\psi_k\rangle_{AB} \otimes |k\rangle_{B'}$ by a proper measurement on register $A'$. An analogous statement holds for Bob.

Informally, an embedding $|\psi\rangle_{AA'BB'}$ of $P_{X,Y}$ is called trivial if it allows a dishonest player to access at least the same amount of information as he/she is allowed in some classical implementation of $P_{X,Y}$. Formally, we define trivial and non-trivial embeddings of a given primitive as follows:

Definition 2.6 ([SSS09]). Let $|\psi\rangle_{AA'BB'}$ be an embedding of $P_{X,Y}$. We call $|\psi\rangle$ a trivial embedding of $P_{X,Y}$ if it satisfies $S(Y\searrow X|AA') = 0$ or $S(X\searrow Y|BB') = 0$. Otherwise, we call it non-trivial.

Notice that $P_{X,Y}$ can be implemented by the following classical protocol:

1. Bob samples $x'$ from the distribution $P_{X\searrow Y}$ and sends it to Alice. Since $x'$ is itself a conditional distribution $P_{Y|X=x}$ of $Y$, he samples $y$ from the distribution $x'$.

2. Alice samples $x$ from the distribution $P_{X|X\searrow Y=x'}$.

Clearly, in the case where $S(X\searrow Y|BB') = 0$, $|\psi\rangle$ allows dishonest Bob and Alice to access at least as much information about the other party's outputs as they can in the classical implementation above.
3 Non-Trivial Protocols and Composability

In the following we show that quantum protocols, even when characterized only by the embeddings of the corresponding primitives (i.e. without considering whether or not that state can be distributed fairly), do not compose without allowing the adversary to mount joint attacks that cannot be simulated by attacks applied to individual copies. We are allowed to make this simplification because any attack on an embedding of a primitive can be modeled by an at least equally efficient (in terms of the amount of extra information accessible to a cheater) attack on the associated protocol. We define trivial protocols to be those that produce trivial embeddings.

Definition 3.1. A correct protocol for a primitive Px,y is trivial, if the embedding produced by such a 
protocol is trivial. Otherwise, it is called non-trivial. 

In order to show non-composability of a non-trivial embedding $|\psi\rangle \in \mathcal{H}_{ABA'B'}$ of a primitive $P_{X,Y}$, satisfying $S_\psi(X\searrow Y|BB') > 0$ and $S_\psi(Y\searrow X|AA') > 0$, it is sufficient to show that no non-trivial regular embedding of $P_{X,Y}$ can be composed, for the following reason: Lemma 2.5 shows that Alice, by measuring her register $A'$, converts $|\psi\rangle$ into $|\psi_k\rangle$ for some $k \in \{1, \dots, K\}$, which is a regular embedding of $P_{X,Y}$. If she performs such a measurement on many copies of $|\psi\rangle$, with high probability at least some constant fraction of them collapses into the same non-trivial regular embedding of $P_{X,Y}$. Non-composability of such a regular embedding then implies non-composability of the embedding $|\psi\rangle$ of $P_{X,Y}$. The protocol composability questions can therefore be reduced to investigating the composability of regular embeddings.

In the following, we formalize the weakness of non-composability inherent to any two-party quantum protocol, preventing us from building strong cryptographic primitives even from non-trivial weak ones. This is in sharp contrast with quantum key distribution, a three-party game that can be shown to be universally composable [BHL+05].

Composability of quantum protocols has been studied by Ben-Or and Mayers [BM02,BM04] and by Unruh [Unr04]. The former approach is an extension of Canetti's framework [Can01] to the quantum case while the latter is an extension of Backes, Pfitzmann, and Waidner [BPW04]. We are going to consider a weaker version of composability called weak composability and show that almost no quantum protocol satisfies it. Informally, we call a quantum two-party protocol weakly self-composable if any adversarial strategy acting, possibly coherently, upon $n$ independent copies of the protocol is equivalent to a strategy which acts individually upon each copy of the protocol.

4 Ideal Functionalities 

In order to guarantee composability, the functionality of a quantum protocol should be modeled by some 
classical ideal functionality. An ideal functionality is a classical description of what the protocol achieves 
independently of the environment in which it is executed. If a protocol does not admit such a description 
then it can clearly not be used in any environment while keeping its functionality, and such a protocol 
would not compose securely in all applications. 

In the following, let $\mathcal{H}_A$ and $\mathcal{H}_B$ denote Alice's and Bob's quantum systems, respectively, and let $\mathcal{X}$ and $\mathcal{Y}$ denote the sets of classical outcomes of Alice's and Bob's final measurements.

Intuitively, a pure state $|\psi\rangle \in \mathcal{H}_A \otimes \mathcal{H}_B$ implements the ideal functionality $\mathrm{ID}_\psi$ if, whatever the adversary does on his/her part of $|\psi\rangle$, there exists a classical input to $\mathrm{ID}_\psi$ for the adversary that produces the same view. The ideal functionality $\mathrm{ID}_\psi$ accepts inputs for Alice and for Bob in $[0..1]$, where the elements of $[0..1]$ encode all possible strategies for both parties. When a party inputs $0$ to $\mathrm{ID}_\psi$, the outcome of measuring this party's part of $|\psi\rangle$ in the computational basis, encoded by a number in $[0..1]$, is returned to the party. This corresponds to the honest behavior. When $m \in [0..1]$ is input to $\mathrm{ID}_\psi$, a measurement depending upon $m$ is applied to register $\mathcal{H}_A$ (resp. $\mathcal{H}_B$) of $|\psi\rangle$ and the classical outcome is returned to Alice (resp. Bob). Such a measurement acts only locally on the specified system. Clearly, for $\mathrm{ID}_\psi$ to be of any cryptographic value, the set of possible strategies should be small, otherwise it would be very difficult to characterize exactly what $\mathrm{ID}_\psi$ achieves. As we are going to show next, even if $|\psi\rangle$ implements such an $\mathrm{ID}_\psi$ where $[0..1]$ is used to encode all possible POVMs in $\mathcal{H}_A$ and $\mathcal{H}_B$, not all adversarial strategies against $|\psi\rangle^{\otimes n}$ can be modeled by calls to $n$ copies of $\mathrm{ID}_\psi$.

We write $\mathrm{ID}_\psi(m, 0) = (w, z)$ for the ideal functionality corresponding to pure state $|\psi\rangle \in \mathcal{H}_A \otimes \mathcal{H}_B$ with honest Bob and dishonest Alice using strategy $m \in (0..1]$. The output $w$ is provided to Alice and $z \in [0..1]$, encoding an event in $\mathcal{Y}$, to Bob. Similarly, we write $\mathrm{ID}_\psi(0, m) = (z, w)$ when Alice is honest and Bob is dishonest and is using strategy $m \in (0..1]$. Notice that an ideal functionality for state $|\psi\rangle$ is easy to implement by letting $\mathrm{ID}_\psi$ simulate Alice's and Bob's strategies through a classical interface.

In general, $\mathrm{ID}_\psi$ returns one party's output as soon as its strategy has been specified. The ideal functionality never waits for both parties before returning the outcomes. This models the fact that shared pure states never signal from one party to the other. The ideal functionality $\mathrm{ID}_\psi$ can be queried by one party more than once with different strategies. The ideal functionality keeps track of the residual state after one strategy is applied. If a new strategy is applied then it is applied to the residual state. This feature captures the fact that the first measurement can be applied before knowing how to refine it, which may happen when Alice and Bob are involved in an interactive protocol using only classical communication from the shared state $|\psi\rangle$. Dishonest Alice may partially measure her part of $|\psi\rangle$ before announcing the outcome to Bob. Bob could then send information to Alice allowing her to refine her measurement of $|\psi\rangle$ depending on what she received from him. This procedure can be simulated using $\mathrm{ID}_\psi$ by first specifying a partial POVM for Alice's first measurement among the set of POVMs encoded by the elements of $[0..1]$. Then, Alice refines her first measurement by specifying a new POVM, represented by an element of $[0..1]$, to the ideal functionality $\mathrm{ID}_\psi$.

5 Simulation 

A pure state $|\psi\rangle \in \mathcal{H}_A \otimes \mathcal{H}_B$ implements the ideal functionality $\mathrm{ID}_\psi$ if any attack implemented via a POVM $\mathcal{M}$ by adversary Alice (resp. adversary Bob) can be simulated by calling the ideal functionality with some $m \in [0..1]$. The attack in the simulated world calls $\mathrm{ID}_\psi$ only once, as in the real case. The ideal functionality $\mathrm{ID}_\psi$ therefore refuses to answer more than one query per party. Remember also that $\mathrm{ID}_\psi$ returns the outcome to one party as soon as that party's strategy is specified, irrespective of whether the other party has specified its own.

First, let us illustrate with an example what we mean by the simulation of an attack using calls to the ideal functionality.

Example 5.1. Consider that Alice and Bob are sharing $|\Psi^+\rangle = \frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)$, which is an embedding of the joint probability distribution $P_{X,Y}$ with $P_{X,Y}(0,0) = P_{X,Y}(1,1) = 1/2$. Alice's and Bob's honest measurements happen to be in the Schmidt basis. We can define the ideal functionality $\mathrm{ID}_{EPR}$ as follows:

$$\mathrm{ID}_{EPR}(0,0) = (x,x) \text{ with probability } \tfrac{1}{2}, \quad x \in \{0,1\}.$$

Since both players are measuring in the Schmidt basis, it follows that $\mathrm{ID}_{EPR}$ models any adversarial behavior. $\mathrm{ID}_{EPR}$ is an ideal functionality for $|\Psi^+\rangle$ even in a context where it is a part of a larger system. However, $|\Psi^+\rangle$ is a trivial embedding!

Notice that any strategy against $|\Psi^+\rangle^{\otimes m}$ can be simulated by appropriate calls to $m$ copies of $\mathrm{ID}_{EPR}$. In other words, $|\Psi^+\rangle$ is self-composable in a weak sense. In the following section we show that in fact all weakly self-composable regular embeddings of joint probability distributions are trivial.

6 Self-Composability of Embeddings 

We define the classical weak self-composability of a regular embedding $|\psi\rangle \in \mathcal{H}_A \otimes \mathcal{H}_B$ of a joint probability distribution $P_{X,Y}$ as its ability to be composed with itself without allowing the adversary to get information about $X$ (resp. $Y$) that is not available through calls to independent copies of $\mathrm{ID}_\psi$.

Definition 6.1. An embedding $|\psi\rangle$ of $P_{X,Y}$ is weakly self-composable if there exists an ideal functionality $\mathrm{ID}_\psi$ such that all attacks against $|\psi\rangle^{\otimes m}$ for any $m > 0$ can be simulated by appropriate calls to $m$ ideal functionalities $\mathrm{ID}_\psi$.

Next, we show that only (not necessarily all) trivial regular embeddings can be weakly self-composed. The idea behind this result is the definition of a protocol computing a function between Alice and Bob sharing $|\psi\rangle^{\otimes m}$, such that Bob can make the expected value of the function strictly larger provided he has the capability to measure his part of $|\psi\rangle^{\otimes m}$ coherently rather than individually. Only individual measurements can be performed by Bob if $\mathrm{ID}_\psi$ models the behavior of $|\psi\rangle$ in any situation. Consider that Alice and Bob are sharing a non-trivial regular embedding of $P_{X,Y}$ that can be written as:

$$|\psi\rangle = \sum_{x \in \mathcal{X}} \sqrt{P_X(x)}\,|x\rangle_A |\psi_x\rangle_B. \qquad (1)$$

We show in Lemma 6.2 that $|\psi\rangle$ being non-trivial (i.e. $S(X\searrow Y|\rho_B) > 0$) implies the existence of $x_0 \neq x_1 \in \mathcal{X}$ such that

$$0 < |\langle\psi_{x_0}|\psi_{x_1}\rangle|^2 < 1. \qquad (2)$$

Protocol 1 challenges Bob to identify, in some sense, the state of two positions chosen uniformly at random among the following possibilities: $\{|\psi_{x_0}\rangle|\psi_{x_0}\rangle,\ |\psi_{x_0}\rangle|\psi_{x_1}\rangle,\ |\psi_{x_1}\rangle|\psi_{x_0}\rangle,\ |\psi_{x_1}\rangle|\psi_{x_1}\rangle\}$. We will show that Bob, restricted to interact with his subsystem through the ideal functionality $\mathrm{ID}_\psi$, cannot make the expected value of a certain function as large as when he is allowed to interact unconditionally (i.e. coherently) with his subsystem. We now prove that such $x_0, x_1 \in \mathcal{X}$ exist for any non-trivial regular embedding.

Lemma 6.2. If $|\psi\rangle \in \mathcal{H}_A \otimes \mathcal{H}_B$ is a non-trivial regular embedding of $P_{X,Y}$ then there exist $x_0, x_1 \in \mathcal{X}$ such that $|\psi_{x_0}\rangle$ and $|\psi_{x_1}\rangle$ satisfy

$$0 < |\langle\psi_{x_0}|\psi_{x_1}\rangle| < 1.$$

Proof. Let us write $|\psi\rangle$ as

$$|\psi\rangle = \sum_{x \in \mathcal{X}} \sqrt{P_X(x)}\,|x\rangle_A |\psi_x\rangle_B. \qquad (3)$$
Let $\{|\varphi_1\rangle, \dots, |\varphi_\ell\rangle\} \subseteq \{|\psi_x\rangle\}_{x \in \mathcal{X}}$ be the set of different states $|\psi_x\rangle$ available to Bob when Alice measures $X$. Equation (3) can be re-written as

$$|\psi\rangle = \sum_{j=1}^{\ell} \Bigl( \sum_{x:\, |\psi_x\rangle \simeq |\varphi_j\rangle} \sqrt{P_X(x)}\, e^{i\theta(x)} |x\rangle_A \Bigr) \otimes |\varphi_j\rangle_B \qquad (4)$$

for some $\theta(x) \in [0, 2\pi)$, where $|\psi_x\rangle \simeq |\varphi_j\rangle$ denotes equality up to a global phase.

If $\{|\varphi_j\rangle\}_{j=1}^{\ell}$ are mutually orthogonal then, if Bob measures in this basis, no uncertainty about $X\searrow Y$ is left, contradicting the fact that $S(X\searrow Y|\rho_B) > 0$.



In Protocol 1 Alice asks Bob to compare the two pure states on his side. In the next section we define a game related to the state comparison problem and show that there is a coherent strategy which in this game can succeed strictly better than any separable one, and therefore also than any LOCC strategy on Bob's registers.



Protocol 1 (state comparison challenge):

1. Let $p := 0$ and let Alice and Bob both know $x_0, x_1 \in \mathcal{X}$ such that $0 < |\langle\psi_{x_0}|\psi_{x_1}\rangle| = \tau < 1$ is satisfied.

2. Alice gets $X^m = X_1, \dots, X_m$ by measuring her part of all $m$ copies of $|\psi\rangle$ in the computational basis. She identifies 4 positions $1 \le i \neq i',\, j \neq j' \le m$ such that $X_i = X_{i'} = x_0$ and $X_j = X_{j'} = x_1$. If such four positions do not exist then Alice announces to Bob that $p = 0$ and aborts.

3. Alice picks $(h, h') \in \{i, i', j, j'\}$ with $h \neq h'$ such that $(X_h, X_{h'}) = (\alpha, \beta)$ with probability $1/4$ for any choice of $\alpha, \beta \in \{x_0, x_1\}$, and announces $(h, h')$ to Bob.

4. Bob sends $b \in \{0, 1, ?\}$ to Alice, guessing whether the pair of pure states on the positions $h, h'$ is one of $A_0 := \{|\psi_{x_0}\rangle|\psi_{x_0}\rangle, |\psi_{x_1}\rangle|\psi_{x_1}\rangle\}$ or one of $A_1 := \{|\psi_{x_0}\rangle|\psi_{x_1}\rangle, |\psi_{x_1}\rangle|\psi_{x_0}\rangle\}$, or responds "don't know".

5. Alice sets the payoff value $p := -c$ if Bob responded incorrectly, $p := 0$ if he answered "don't know", and $p := 1$ if he answered the challenge correctly.

Fig. 1. A state comparison challenge to Bob.



7 State-Comparison Game with a Separably Inapproximable Coherent Strategy 

Consider the challenge from Protocol 1. In the game defined by this protocol, Alice lets Bob compare two states defined by a non-trivial regular embedding of a given primitive, which are either identical or different, but not orthogonal. Bob is allowed to respond inconclusively; however, for such an answer he obtains $0$ points. On the other hand, if his guess is right he obtains $1$ point, and if it is wrong he obtains $-c$ points for some positive number $c$ which we determine later. We call his score payoff. With respect to the game defined by Protocol 1, let the maximal achievable expected payoff over the set of all measurement strategies be denoted by $p_{max}$. In this section we show that there exists $c$ such that the maximal average payoff $p_{max}$ can only be achieved with a strategy coherent on the registers corresponding to the two factors of Bob's product state. Furthermore, we show that for such a $c$ there is a constant gap between the maximal payoff achievable with a separable strategy and $p_{max}$. Separable measurements on a quantum system consisting of two subsystems are such that any of their elements $M$ is of the form $M = \sum_{i,j} E_i \otimes F_j$, where the $E_i$, $F_j$ are operators acting on the respective subsystems of the given system. According to [BDF+99], separable measurements form a strict superset of all LOCC measurements.

It is shown in [KKB05] that for $0 < \tau < 1$, the optimal no-error measurement is always coherent. Furthermore, they prove that the highest success rate achievable by a separable unambiguous measurement is $(1-\tau)^2$, whereas the optimal measurement has a success rate of $(1-\tau)$.

Fix the value of $0 < \tau < 1$. For $c$ sufficiently large, the best coherent strategy is to apply the best unambiguous measurement, with correct-answer rate $1-\tau$, and to output "don't know" for an uncertain result. Therefore, for some $c$ we have $p_{max} = 1-\tau$. Let $p_s$ denote the supremum of average payoffs in the game from Protocol 1 achievable by separable strategies.

Theorem 7.1. In the game from Protocol 1 there exists $c > 0$ such that $p_s < p_{\max} - f(r)$, where 
$f(r) > 0$ whenever $0 < r < 1$. 

Before proving the actual theorem, we introduce a useful lemma. 

Lemma 7.2. Let $|\varphi_0\rangle, |\varphi_1\rangle \in \mathcal{H}$ be pure states such that $|\langle \varphi_0 | \varphi_1 \rangle| = r$. For a discrimination strategy 
$S$ with three possible outcomes 0, 1, and "don't know", let $q_c$ denote the probability of a conclusive 
answer and $q_{err}$ the probability of a wrong answer. Then, 

$$q_c \le 2 q_{err} + 1 - r + 2\sqrt{q_{err}(1-r)}.$$

Proof. According to Lemma 2.2, 

$$q_{err} \ge \frac{1}{2}\left[ q_c - \sqrt{q_c^2 - \bigl(q_c - (1 - \cos\theta)\bigr)^2} \right],$$

where $\cos\theta = r$. Equivalently, we get: 

$$\sqrt{q_c^2 - \bigl(q_c - (1 - \cos\theta)\bigr)^2} \ge q_c - 2 q_{err}.$$

By squaring both sides of the inequality we obtain: 

$$2 q_c (1 - \cos\theta) - (1 - \cos\theta)^2 \ge q_c^2 + 4 q_{err}^2 - 4 q_c q_{err},$$
$$q_c^2 - q_c\bigl(4 q_{err} + 2(1 - r)\bigr) + (1 - r)^2 + 4 q_{err}^2 \le 0. \qquad (5)$$

By solving the quadratic equation 

$$q_c^2 - q_c\bigl(4 q_{err} + 2(1 - r)\bigr) + (1 - r)^2 + 4 q_{err}^2 = 0,$$

we get the solutions $2 q_{err} + 1 - r \pm 2\sqrt{q_{err}(1-r)}$, implying the solutions of (5) to be 

$$q_c \le 2 q_{err} + 1 - r + 2\sqrt{q_{err}(1-r)}.$$
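As an added check of the last step (not part of the original proof), the discriminant of the quadratic in $q_c$ collapses to a single term, which is why the two roots take the stated form:

$$\bigl(4 q_{err} + 2(1-r)\bigr)^2 - 4\bigl((1-r)^2 + 4 q_{err}^2\bigr) = 16 q_{err}^2 + 16 q_{err}(1-r) + 4(1-r)^2 - 4(1-r)^2 - 16 q_{err}^2 = 16\, q_{err}(1-r),$$

so $q_c = \tfrac{1}{2}\bigl(4 q_{err} + 2(1-r) \pm 4\sqrt{q_{err}(1-r)}\bigr) = 2 q_{err} + 1 - r \pm 2\sqrt{q_{err}(1-r)}$, and (5) holds exactly for $q_c$ between these two roots, the larger of which is the bound of the lemma.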

Proof (Theorem 7.1). The method we use is the following: For given parameters $r, c \in \mathbb{R}$ such that 
$0 < r < 1$ and $c > 0$, and an additional parameter $k > 0$, we divide the set of all separable measurements 
into three subsets according to the probability $q_{err}$ of Bob's incorrect (conclusive) answer in the state 
comparison, expressed as a function of $c$, $k$, and $r$. We construct an upper bound on $p_s$ in each of the 
three sets separately, depending on $c$, $k$, and $r$. Finally, we find the conditions for $c$ and $k$ such that 
in all three sets we get $p_s < p_{\max} - f(r)$ for some $f(r) > 0$. 

[KKB05] shows that the best separable unambiguous strategy for solving the 2-out-of-2 state comparison 
problem is to apply the best unambiguous measurement on each part of Bob's register independently. 
Lemma A.2 (see Appendix A) says that the payoff achieved by such a strategy in the case 
where the probability $q_{err}$ is small is close to the optimal payoff. The analysis of such a situation is captured 
in the first of the three cases, where we consider the separable measurements with $q_{err} < \frac{1}{2k(c+1)}$. 

1. ($q_{err} < \frac{1}{2k(c+1)}$) Lemma A.2 shows that to any separable measurement $M = (E_0, E_1, E_?)$ with 
probability of error $q_{err} < \frac{1}{2(c+1)k}$ and the expected payoff $p$, there exists a separable measurement 
$M' = (E'_0, E'_1, E'_?)$ with the expected payoff $p'$, satisfying $p \le p' + \frac{1}{k} + O(1/\sqrt{c})$, such that its 
elements can be written in the form: 

$$E'_0 = G^0_0 \otimes G^1_0 + G^0_1 \otimes G^1_1, \qquad E'_1 = G^0_0 \otimes G^1_1 + G^0_1 \otimes G^1_0, \qquad E'_? = \mathbb{1} - E'_0 - E'_1,$$

where the upper index of $G^a_b$ refers to the subsystem and the lower index determines the guess of the 
state of the corresponding subsystem. 

The upper bound on the value of $p'$, which we compute next, can then be used to upper bound $p$. 
Consider an extended problem where Bob is supposed to identify each factor of his product state (in 
contrast to just comparing the factors in the game). Let $q^0_{err}, q^1_{err}$, and $q^0_c, q^1_c$ denote the probabilities of 
Bob's incorrect resp. conclusive answers in each of his subsystems. Then the probability of comparing 
the states incorrectly can be expressed as follows: 

$$q_{err} = q^0_{err}\,(q^1_c - q^1_{err}) + q^1_{err}\,(q^0_c - q^0_{err}) = q^0_c\, q^1_{err} + q^1_c\, q^0_{err} - 2\, q^0_{err}\, q^1_{err}.$$

For separable strategies for which $q^1_c \le 1 - r - 2/k$ or $q^0_c \le 1 - r - 2/k$, we obtain $p' \le 1 - r - 2/k$ 
and hence, $p \le 1 - r - 1/k + O(1/\sqrt{c})$ due to Lemma A.2. For $c$ sufficiently large we then get: 

$$p_{\max} - p \ge \frac{1}{2k}. \qquad (6)$$

Next, we discuss the case (not disjoint with the previous one) where both $q^0_c, q^1_c > 1 - r - 1/k =: \gamma$, 
which implies that 

$$q_{err} \ge \gamma\,(q^0_{err} + q^1_{err}) - 2\, q^0_{err}\, q^1_{err}. \qquad (7)$$

For upper bounding the probability $q^0_c$ of a conclusive answer of the measurement $M'$ we use Lemma 7.2 
(an analogous formula holds for $q^1_c$): 

$$q^0_c \le 2 q^0_{err} + 1 - r + 2\sqrt{q^0_{err}(1-r)}.$$

The probability of correct state identification in the first of Bob's subsystems then satisfies: 

$$q^0_c - q^0_{err} \le q^0_{err} + 1 - r + 2\sqrt{q^0_{err}(1-r)}. \qquad (8)$$

Inequalities (7) and (8) give us an upper bound on $p'$ for $c > 9$: 

$$p' \le -c\, q_{err} + q^0_{err}\, q^1_{err} + \Bigl(q^0_{err} + 1 - r + 2\sqrt{q^0_{err}(1-r)}\Bigr)\Bigl(q^1_{err} + 1 - r + 2\sqrt{q^1_{err}(1-r)}\Bigr) \le (1-r)^2 + \sqrt{\frac{2}{k(c+1)}},$$

hence by Lemma A.2, $p \le (1-r)^2 + \sqrt{\frac{2}{k(c+1)}} + \frac{1}{k} + O(1/\sqrt{c})$. For $c$ sufficiently large we get: 

$$p \le (1-r)^2 + \frac{2}{k}. \qquad (9)$$

2. Second, we assume that $\frac{1}{2k(c+1)} \le q_{err} \le \frac{r^2(1-r)}{256}$. To upper bound the probability of comparing 
the states correctly, we use the same argument as in (8) and get that: 

$$q_c - q_{err} \le q_{err} + 1 - r + 2\sqrt{q_{err}(1-r)},$$

where $q_c$ denotes the probability of a conclusive outcome. This inequality implies the upper bound on $p$: 

$$p \le -c\, q_{err} + (q_c - q_{err}) \le -\frac{c-1}{2k(c+1)} + 1 - r + 2\sqrt{q_{err}(1-r)},$$

yielding that for $c$ sufficiently large, 

$$p \le -\frac{1}{2k} + 1 - r + 2\sqrt{q_{err}(1-r)}. \qquad (10)$$

Consequently, we have three upper bounds on the value of $p$, given by (6), (9), and (10): $B_0 := 1 - r - \frac{1}{2k}$, 
$B_1 := (1-r)^2 + \frac{2}{k}$, and $B_2 := 1 - r + 2\sqrt{q_{err}(1-r)} - \frac{1}{2k}$. Since $B_2 \ge B_0$, we only have to find $f(r)$ 
and $k$ such that $B_1, B_2 \le (1-r) - f(r)$, or equivalently: 

$$2 f(r) + \frac{4}{k} \le 2\, r\,(1-r),$$

$$2 f(r) \le \frac{1}{k} - 4\sqrt{q_{err}(1-r)}.$$

It is easy to verify that for $q_{err} \le \frac{r^2(1-r)}{256}$, the two inequalities are satisfied for $k := \frac{20}{9\, r\,(1-r)}$ and $f(r) := \frac{r(1-r)}{10}$. 
Thus, there exists $c > 0$ such that in any separable strategy with the probability of error $q_{err} \le \frac{r^2(1-r)}{256}$ 
and the expected payoff $p$: 

$$p \le p_{\max} - \frac{r(1-r)}{10}.$$

3. For separable strategies with the probability of error $q_{err} > \frac{r^2(1-r)}{256}$, we can simply set $c > \frac{256}{r^2(1-r)}$, 
which ensures that the payoff $p < 0$. 

Set $c$ to be the maximum over the values required by the discussed subcases. For such a $c$ and any 
separable strategy, the corresponding expected payoff $p$ satisfies $p \le p_{\max} - \frac{r(1-r)}{10}$, yielding that 

$$p_{\max} - p_s \ge \frac{r(1-r)}{10}.$$
8 Only Trivial Embeddings Can Be Composed 



As a straightforward corollary of Theorem 7.1, we now get that there exists a constant $c$ such that 
any Bob restricted to interact with his system through the ideal functionality $\mathrm{ID}_\psi^{\otimes m}$ can never get the 
expected value of $p$ as large, and not even close, as with the best coherent strategy. This remains true 
for any possible description of the ideal functionality, since even if $\mathrm{ID}_\psi$ allowed to specify an arbitrary 
POVM, the ideal functionality would not be as good as the best coherent strategy. 

Notice that any strategy Bob may use for querying the ideal functionality $\mathrm{ID}_\psi$ for both systems 
involved in order to pass the challenge with success can also be carried out by two parties restricted to local 
quantum operations and classical communication (LOCC). This is because $\mathrm{ID}_\psi$ only returns classical 
information. Local quantum operations can be performed by asking $\mathrm{ID}_\psi$ to apply a POVM to a local part 
of $|\psi\rangle$. 

We now formally prove that non-trivial regular embeddings do not compose, since Bob can always 
succeed better in Protocol 1 if he could measure all his registers coherently. 

Theorem 8.1. Only trivial regular embeddings of a primitive $P_{X,Y}$ are weakly self-composable. 

Proof. Let $|\psi\rangle = \sum_{x \in \mathcal{X}} \sqrt{P_X(x)}\,|x\rangle|\psi_x\rangle$ be a non-trivial regular embedding of $P_{X,Y}$. According to 
Lemma 6.2 there exist $x_0, x_1 \in \mathcal{X}$ such that $0 < |\langle \psi_{x_0} | \psi_{x_1} \rangle| < 1$. Theorem 7.1 then implies that 
there is $c \in \mathbb{R}^+$ such that in Protocol 1 played with $|\psi_{x_0}\rangle$ and $|\psi_{x_1}\rangle$ satisfying the condition above, the 
expected payoff achievable by the best coherent strategy is strictly better than what can be achieved by 
separable, i.e. also LOCC, strategies. By definition of weak self-composability it means that a non-trivial 
regular embedding of $P_{X,Y}$ is not weakly self-composable. 

Corollary 8.2. Only trivial (correct) two-party quantum protocols are weakly self-composable. 

Proof. The statement follows from the fact that any quantum honest-but-curious attack on an embedding 
can be modeled by an attack on the corresponding two-party protocol. Lemma 2.5 shows that for any 
party there is a measurement converting a regular embedding $|\psi\rangle \in \mathcal{H}_{ABA'B'}$ of a primitive $P_{X,Y}$ into 
an embedding $|\psi^k\rangle$ of $P_{X,Y}$ for some $k \in \{1, \ldots, K\}$. The other party can also learn the index $k$ by 
measuring his/her additional register. Non-composability of non-trivial quantum two-party protocols for 
$P_{X,Y}$ then follows from non-composability of non-trivial regular embeddings of $P_{X,Y}$ by including a 
pre-stage into the game from Protocol 1. In this stage, Alice and Bob convert each of the many embeddings 
of $P_{X,Y}$ corresponding to the protocol copies into a regular embedding of $P_{X,Y}$ known to both 
parties. This conversion results in a non-trivial regular embedding of $P_{X,Y}$ with constant probability. 
This is because if all regular embeddings in the conversion range were trivial, then the measurement 
converting the embedding into regular embeddings could be used as a part of a measurement revealing 
$X \searrow Y$ completely to Bob, or revealing $Y \searrow X$ completely to Alice. Hence, such an embedding and 
the corresponding protocol would then be trivial. Due to the law of large numbers, from several copies 
of an embedding Alice obtains at least some constant fraction of the same non-trivial regular embeddings, 
except with probability negligible in the number of copies. Alice and Bob then play the game from 
Protocol 1, using the subset of copies where Alice obtained the same non-trivial regular embedding. 

Finally, let us mention several facts related particularly to (non-)composability of trivial two-party 
quantum protocols implementing trivial primitives. Clearly, every trivial primitive has a protocol which 
is composable against quantum honest-but-curious adversaries, namely the classical one implementing 
the primitive securely in the HBC model. Formally, for a trivial $P_{X,Y}$ we show composability of quantum 
protocols implementing only $P_{X \searrow Y,\, Y \searrow X}$ (which corresponds to secure implementation in the HBC 
model) instead of $P_{X,Y}$, where the desired distribution $P_{X,Y}$ is obtained from the implementation of 
$P_{X \searrow Y,\, Y \searrow X}$ by local randomization. Since a trivial primitive satisfies $H(X \searrow Y \mid Y \searrow X) = H(Y \searrow X \mid X \searrow Y) = 0$, 
or in other words, the implemented dependent parts are accessible to both parties 
already in one protocol copy, coherent attacks do not help in getting any more information. Because 
the rest of $X$ and $Y$ is computed purely locally, there is no attack, individual or coherent, revealing any 
information about the result of this operation. 

On the other hand, not all protocols for trivial primitives are composable. As an example let us take a 
protocol for a primitive $P_{X,Y}$ defined by $P_{X,Y}(0,0) = P_{X,Y}(1,0) = 3/8$, $P_{X,Y}(0,1) = P_{X,Y}(1,1) = 1/8$, 
represented by the following regular embedding: 

$$|\psi\rangle = \frac{1}{\sqrt{2}}\,|0\rangle \otimes \Bigl(\frac{\sqrt{3}}{2}|0\rangle + \frac{1}{2}|1\rangle\Bigr) + \frac{1}{\sqrt{2}}\,|1\rangle \otimes \Bigl(\frac{\sqrt{3}}{2}|0\rangle - \frac{1}{2}|1\rangle\Bigr).$$

Such an embedding (and therefore, the corresponding protocol) is trivial because it implements a trivial 
primitive. Formally, $0 = H(X \searrow Y \mid Y)$ and $H(X \searrow Y \mid Y) \ge S(X \searrow Y \mid B)$ imply that $S(X \searrow Y \mid B) = 0$. 
On the other hand, the states 

$$|\psi_0\rangle := \frac{\sqrt{3}}{2}|0\rangle + \frac{1}{2}|1\rangle, \qquad |\psi_1\rangle := \frac{\sqrt{3}}{2}|0\rangle - \frac{1}{2}|1\rangle$$

that Bob gets for Alice's respective outcomes 0 and 1 of the measurement in the canonical basis satisfy 
the condition $0 < |\langle \psi_0 | \psi_1 \rangle| < 1$ from Protocol 1. Hence, the arguments from the proof of Theorem 7.1 
apply, yielding that $|\psi\rangle$ cannot be composed. 
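As an added numerical check of this example (illustration code written for this page, not code from the paper), the script below builds the embedding above, recovers $P_{X,Y}$ and Bob's two conditional states, verifies $r = 1/2$, constructs the Ivanovic-Dieks-Peres unambiguous measurement [Iva87,Die88,Per88] on each register, and compares the payoff of the resulting product (separable) strategy in the game of Protocol 1 with the coherent optimum $1 - r$. It assumes that Alice's two choices in Protocol 1 are uniform and independent and that Bob answers "equal" only when both local outcomes are conclusive; all function names are my own.

```python
from itertools import product
from math import sqrt

# --- minimal real 2-vector / 2x2-matrix helpers (no numpy needed) ----------
def dot(u, v):
    return u[0] * v[0] + u[1] * v[1]

def normalize(v):
    n = sqrt(dot(v, v))
    return (v[0] / n, v[1] / n)

def perp(v):
    """Unit vector orthogonal to the real unit vector v."""
    return (-v[1], v[0])

def projector(v):
    return [[v[0] * v[0], v[0] * v[1]], [v[1] * v[0], v[1] * v[1]]]

def mat_add(a, b, s=1.0):
    """a + s*b for 2x2 matrices."""
    return [[a[i][j] + s * b[i][j] for j in range(2)] for i in range(2)]

def expectation(m, v):
    """<v|m|v> for a real 2x2 matrix m and a real 2-vector v."""
    w = (m[0][0] * v[0] + m[0][1] * v[1], m[1][0] * v[0] + m[1][1] * v[1])
    return dot(v, w)

def is_psd(m, tol=1e-12):
    """A real symmetric 2x2 matrix is PSD iff its trace and determinant are >= 0."""
    return (m[0][0] + m[1][1] >= -tol) and (m[0][0] * m[1][1] - m[0][1] * m[1][0] >= -tol)

IDENTITY = [[1.0, 0.0], [0.0, 1.0]]

# --- the regular embedding of Section 8, amplitudes indexed by (x, y) -------
def embedding():
    """|psi> = 1/sqrt2 |0>(sqrt3/2 |0> + 1/2 |1>) + 1/sqrt2 |1>(sqrt3/2 |0> - 1/2 |1>)."""
    a = 1 / sqrt(2)
    return {(0, 0): a * sqrt(3) / 2, (0, 1): a / 2,
            (1, 0): a * sqrt(3) / 2, (1, 1): -a / 2}

def joint_distribution(psi):
    """P_{X,Y}(x, y) = |amplitude|^2; gives 3/8, 1/8, 3/8, 1/8 for this embedding."""
    return {xy: amp * amp for xy, amp in psi.items()}

def bob_state_given(psi, x):
    """Bob's register after Alice measures outcome x in the canonical basis."""
    return normalize((psi[(x, 0)], psi[(x, 1)]))

# --- unambiguous (IDP) discrimination of two pure states with overlap r ------
def idp_povm(psi0, psi1):
    """E_0 is supported orthogonally to psi1 (so it never fires on psi1), E_1 orthogonally
    to psi0, E_? is the rest.  Conclusive probability 1 - r on either state, error 0."""
    r = abs(dot(psi0, psi1))
    e0 = [[x / (1 + r) for x in row] for row in projector(perp(psi1))]
    e1 = [[x / (1 + r) for x in row] for row in projector(perp(psi0))]
    return {0: e0, 1: e1, "?": mat_add(IDENTITY, mat_add(e0, e1), -1.0)}

def local_statistics(povm, psi0, psi1):
    """(conclusive prob, error prob) for one register, the state being psi0 or psi1
    with equal probability (assumed)."""
    conclusive = wrong = 0.0
    for truth, st in ((0, psi0), (1, psi1)):
        for guess in (0, 1):
            pr = 0.5 * expectation(povm[guess], st)
            conclusive += pr
            wrong += pr if guess != truth else 0.0
    return conclusive, wrong

# --- the comparison game of Protocol 1 with a product (separable) strategy ---
def product_game_payoff(povm, psi0, psi1, c):
    """Bob measures each register separately with `povm` and answers 'equal' iff both
    conclusive guesses agree; any '?' is inconclusive (0 points).  Alice's two choices
    are assumed uniform and independent.  Returns (payoff, p_correct, p_wrong, p_?)."""
    states = {0: psi0, 1: psi1}
    p_correct = p_wrong = p_unknown = 0.0
    for x, x2 in product((0, 1), repeat=2):           # Alice's choices
        for a, b in product((0, 1, "?"), repeat=2):   # Bob's local outcomes
            pr = 0.25 * expectation(povm[a], states[x]) * expectation(povm[b], states[x2])
            if "?" in (a, b):
                p_unknown += pr
            elif (a == b) == (x == x2):
                p_correct += pr
            else:
                p_wrong += pr
    return p_correct - c * p_wrong, p_correct, p_wrong, p_unknown

def coherent_payoff(r):
    """Best coherent strategy for large c: optimal unambiguous comparison, payoff 1 - r."""
    return 1 - r
```

Calling `product_game_payoff(idp_povm(psi0, psi1), psi0, psi1, c)` on the two states of this example returns the separable payoff $(1-r)^2 = 1/4$ for every $c$ (the local IDP measurement never errs), against the coherent value $1 - r = 1/2$; the difference $r(1-r) = 1/4$ is the gap that Theorem 7.1 shows cannot be closed by any separable strategy.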



References 

[BB84] Charles H. Bennett and Gilles Brassard. Quantum cryptography: Public key distribution and coin tossing. In 
Proceedings of IEEE International Conference on Computers, Systems, and Signal Processing, pages 175-179, 
1984. 

[BDF+99] Charles H. Bennett, David P. DiVincenzo, Christopher A. Fuchs, Tal Mor, Eric Rains, Peter W. Shor, John A. 
Smolin, and William K. Wootters. Quantum nonlocality without entanglement. Physical Review A, 59(2):1070-
1091, February 1999. 

[BHL+05] Michael Ben-Or, Michal Horodecki, Debbie W. Leung, Dominic Mayers, and Jonathan Oppenheim. The universal 
composable security of quantum key distribution. In Theory of Cryptography Conference (TCC) [TCC05], pages 
386-406. 

[BLM+05] Jonathan Barrett, Noah Linden, Serge Massar, Stefan Pironio, Sandu Popescu, and David Roberts. Nonlocal 
correlations as an information-theoretic resource. Physical Review A, 71:022101, 2005. 

[BM02] Michael Ben-Or and Dominic Mayers. Quantum universal composability, November 2002. Presentation 
at "Quantum Information and Cryptography" Workshop, slides online available at 
http://www.msri.org/publications/ln/msri/2002/quantumcrypto/mayers/1/meta/aux/mayers.pdf. 

[BM04] Michael Ben-Or and Dominic Mayers. General security definition and composability for quantum and classical 
protocols, September 2004. http://arxiv.org/abs/quant-ph/0409062. 

[BPW04] Michael Backes, Birgit Pfitzmann, and Michael Waidner. Secure asynchronous reactive systems. Cryptology ePrint 
Archive, March 2004. Online available at http://eprint.iacr.org/2004/082.ps. 

[Can01] Ran Canetti. Universally composable security: A new paradigm for cryptographic protocols. In 42nd Annual IEEE 
Symposium on Foundations of Computer Science (FOCS), pages 136-145, 2001. 

[CB98] Anthony Chefles and Stephen M. Barnett. Quantum state separation, unambiguous discrimination, and exact 
cloning. J. Phys. A, 31(50):10097-10103, 1998. http://front.math.ucdavis.edu/9808.4018. 

[Die88] Dennis Dieks. Overlap and distinguishability of quantum states. Physics Letters A, 126:303-307, 1988. 

[FWW04] Matthias Fitzi, Stefan Wolf, and Jürg Wullschleger. Pseudo-signatures, broadcast, and multi-party computation 
from correlated randomness. In Advances in Cryptology - CRYPTO '04, volume 3152 of Lecture Notes in Computer 
Science, pages 562-579. Springer, 2004. 

[Hel76] Carl W. Helstrom. Quantum detection and estimation theory. Academic Press, New York, 1976. 

[IMNW04] Hideki Imai, Jörn Müller-Quade, Anderson Nascimento, and Andreas Winter. Rates for bit commitment and coin 
tossing from noisy correlation. In Proceedings of 2004 IEEE International Symposium on Information Theory, 
page 47, June 2004. 

[Iva87] I. D. Ivanovic. How to differentiate between non-orthogonal states. Physics Letters A, 123:257-259, 1987. 

[Kit03] A. Kitaev. Quantum coin-flipping. Presented at QIP'03. A review of this technique can be found in 
http://lightlike.com/~carlosm/publ, 2003. 

[KKB05] Matthias Kleinmann, Hermann Kampermann, and Dagmar Bruß. On the generalization of quantum state 
comparison. Phys. Rev. A, 72(032308), 2005. http://arxiv.org/abs/quant-ph/0503012. 

[LC97] Hoi-Kwong Lo and H. F. Chau. Is quantum bit commitment really possible? In Physical Review Letters [PRL97], 
pages 3410-3413. 

[Lo97] Hoi-Kwong Lo. Insecurity of quantum secure computations. Physical Review A, 56(2):1154-1162, 1997. 

[May97] Dominic Mayers. Unconditionally secure quantum bit commitment is impossible. In Physical Review Letters 
[PRL97], pages 3414-3417. 

[NC00] Michael A. Nielsen and Isaac L. Chuang. Quantum Computation and Quantum Information. Cambridge University 
Press, 2000. 

[Per88] Asher Peres. How to differentiate between non-orthogonal states. Physics Letters A, 128:19, 1988. 

[PR94] Sandu Popescu and Daniel Rohrlich. Quantum nonlocality as an axiom. Foundations of Physics, 24(3):379-385, 
1994. 

[PRL97] Physical Review Letters, volume 78, April 1997. 

[RK05] Renato Renner and Robert König. Universally composable privacy amplification against quantum adversaries. In 
Theory of Cryptography Conference (TCC) [TCC05], pages 407-425. 

[SSS09] Louis Salvail, Miroslava Sotáková, and Christian Schaffner. On the power of two-party quantum cryptography. 
http://arxiv.org/abs/0902.4036, 2009. 

[TCC05] Theory of Cryptography Conference (TCC), volume 3378 of Lecture Notes in Computer Science. Springer, 2005. 

[Unr04] Dominique Unruh. Simulatable security for quantum protocols. http://arxiv.org/abs/quant-ph/0409125, 2004. 

[Wie83] Stephen Wiesner. Conjugate coding. SIGACT News, 15(1):78-88, 1983. Original manuscript written circa 1970. 

[WW04] Stefan Wolf and Jürg Wullschleger. Zero-error information and applications in cryptography. In IEEE Information 
Theory Workshop (ITW), San Antonio, Texas, October 2004. 

[WW05a] Stefan Wolf and Jürg Wullschleger. New monotones and lower bounds in unconditional two-party computation. 
In Advances in Cryptology - CRYPTO '05, volume 3621 of Lecture Notes in Computer Science, pages 467-477. 
Springer, 2005. 

[WW05b] Stefan Wolf and Jürg Wullschleger. Oblivious transfer and quantum non-locality. In International Symposium on 
Information Theory (ISIT 2005), pages 1745-1748, 2005. 

A Lemma A.2 from the proof of Theorem 7.1 

Before starting with the actual Lemma A.2, we formulate and prove an auxiliary lemma needed for 
the main proof. In the following, $\|T\|_\infty$ denotes the norm of an operator $T \in \mathbb{C}^{n \times n}$, which equals the 
operator's largest singular value. 

Lemma A.1. Let $f : \mathbb{R}^+ \to \mathbb{C}^{2 \times 2}$ be a function mapping $c$ positive into a positive-semidefinite operator 
$F_c \in \mathbb{C}^{2 \times 2}$ such that $\|F_c\|_\infty = 1$ and for some unit vector $|v_0\rangle \in \mathbb{C}^2$, $\langle v_0 | F_c | v_0 \rangle \in O(1/c)$. Then the 
dominant eigenvector of $F_c$ is of the form $\gamma_0 |v_0\rangle + \gamma_1 |v_1\rangle$, where $\langle v_0 | v_1 \rangle = 0$, $|\gamma_0|^2 + |\gamma_1|^2 = 1$, and 
$|\gamma_0|^2 \in O(1/c)$. Furthermore, the second largest eigenvalue $\lambda_c$ of $F_c$ satisfies $\lambda_c \in O(1/c)$. 
Proof. Let us write $F_c$ in the form $F_c = M_c^\dagger M_c$ for a matrix $M_c \in \mathbb{C}^{2 \times 2}$. This is possible due to 
the fact that $F_c$ is positive-semidefinite. We define $|u_0\rangle := M_c |v_0\rangle$ and $|u_1\rangle := M_c |v_1\rangle$. According 
to the assumption, $\langle u_0 | u_0 \rangle \in O(1/c)$. Let us write the (unit) dominant eigenvector of $F_c$ in the basis 
$\{|v_0\rangle, |v_1\rangle\}$ as: 

$$|w\rangle = \gamma_0 |v_0\rangle + \gamma_1 |v_1\rangle.$$

It follows that 

$$1 = \langle w | F_c | w \rangle = |\gamma_0|^2 \langle u_0 | u_0 \rangle + |\gamma_1|^2 \langle u_1 | u_1 \rangle + 2\,\mathrm{Re}\bigl(\bar{\gamma}_0 \gamma_1 \langle u_0 | u_1 \rangle\bigr).$$

Assume that there exists an unbounded increasing sequence of positive numbers such that for its 
elements $c$, we get $|\gamma_1^c|^2 = 1 - \Theta(1/c^\delta)$ for $1/2 < \delta < 1$. From $\langle u_0 | u_0 \rangle \in O(1/c)$ we get that 
$|\gamma_0^c \gamma_1^c \langle u_0 | u_1 \rangle| \in \Theta(1/c^\delta)$ and $|\langle u_0 | u_1 \rangle| \in O(1/\sqrt{c})$, yielding that 

$$|\gamma_0^c| \in \Omega(1/c^{\delta - 1/2}).$$

Since $|w\rangle$ is a unit vector, for some $\kappa$ positive we get 

$$1 = |\gamma_1^c|^2 + |\gamma_0^c|^2 \ge 1 - \frac{\kappa}{c^\delta} + |\gamma_0^c|^2,$$

and thus $|\gamma_0^c|^2 \in O(1/c^\delta)$. From the two conditions we conclude that 

$$|\gamma_0^c|^2 \in \Omega(1/c^{2\delta - 1}) \cap O(1/c^\delta),$$

yielding that $\delta = 1$, since the intersection of the two sets has to be non-empty. Therefore, the function $f$ 
satisfies 

$$|\gamma_0|^2 \in O(1/c) \qquad (11)$$

on the entire domain. 

Now we upper bound the second largest eigenvalue of $F_c$. Since the second eigenvector $|w^\perp\rangle$ of $F_c$ 
is orthogonal to its dominant eigenvector, it can be written in the form: 

$$|w^\perp\rangle = \gamma'_1 |v_0\rangle + \gamma'_0 |v_1\rangle,$$

where $|\gamma'_1| = |\gamma_1|$ and $|\gamma'_0| = |\gamma_0|$. We get that 

$$\lambda_c = \langle w^\perp | F_c | w^\perp \rangle = |\gamma'_1|^2 \langle u_0 | u_0 \rangle + |\gamma'_0|^2 \langle u_1 | u_1 \rangle + 2\,\mathrm{Re}\bigl(\bar{\gamma}'_1 \gamma'_0 \langle u_0 | u_1 \rangle\bigr).$$

From the assumption $\langle u_0 | u_0 \rangle \in O(1/c)$ and (11) we conclude that 

$$\lambda_c \in O(1/c).$$

Lemma A.2. Let $c, k > 0$. Consider the game from Prot. 1 and let $X$ and $Y$ denote the respective 
registers of Bob, corresponding to Alice's choices of $h$ and $h'$. To any strategy based on the outcomes of 
a separable measurement $M = (E_0, E_1, E_?)$ on $\mathcal{H}_X \otimes \mathcal{H}_Y$ with probability of error $q_{err} < \frac{1}{2(c+1)k}$ and 
the expected payoff $p$, there exists a strategy using a separable measurement $M' = (E'_0, E'_1, E'_?)$ in the 
form: 

$$E'_0 = G^0_0 \otimes G^1_0 + G^0_1 \otimes G^1_1, \qquad E'_1 = G^0_0 \otimes G^1_1 + G^0_1 \otimes G^1_0, \qquad E'_? = \mathbb{1} - E'_0 - E'_1,$$

with the expected payoff $p'$, satisfying: 

$$|p - p'| \le \frac{1}{k} + O(1/\sqrt{c}).$$
Proof. For simplicity of the notation, let us define $|\psi_0\rangle := |\psi_{x_0}\rangle$ and $|\psi_1\rangle := |\psi_{x_1}\rangle$, where $|\psi_{x_0}\rangle$ and 
$|\psi_{x_1}\rangle$ come from Prot. 1. 

Every element of a separable measurement on $\mathcal{H}_X \otimes \mathcal{H}_Y$ can be written as a sum of tensor products 
of positive semi-definite operators. In particular, the elements of $M$ can be written in the form: 

$$E_b := \sum_{(x,y):\, b(x,y) = b} F^0_x \otimes F^1_y.$$

The operators $F^0_x \otimes F^1_y$ can be viewed as the elements of a new measurement $N$, refining $M$. 
Since the states $|\psi_0\rangle$ and $|\psi_1\rangle$ span a 2-dimensional Hilbert space, all operators $F^0_x$ and $F^1_y$ can 
be restricted to correspond to $2 \times 2$ matrices in some basis of this space. 

The function $b : (x,y) \to \{0, 1, ?\}$ is a post-processing function of the outcomes of $N$, determining 
the outcome of $M$ (0 corresponds to the states being equal, 1 to them being different, and ? denotes 
an inconclusive answer). Let $A$ denote the set of all pairs $(x,y)$ of outcomes of $N$. To every pair 
$(x,y) \in A$ we assign $(q^0_x, q^1_y) \in [0, 1/2]^2$, the probabilities of error in guessing the factor states of $\mathcal{H}_X$ 
and $\mathcal{H}_Y$, conditioned on measuring $x$ and $y$, respectively. Let $W_0$ and $W_1$ denote the random variables 
assigned to the states of $\mathcal{H}_X$ and $\mathcal{H}_Y$, respectively. The probability space of both $W_0$ and $W_1$ is $\{0,1\}$, 
since the state of either of the subsystems is $|\psi_0\rangle$ or $|\psi_1\rangle$. For $\zeta \in \{0,1\}$, let $x \to \zeta$, $y \to \zeta$ stand for 
$\Pr[W_0 = 1 - \zeta \mid x] \le \frac{1}{2(c+1)}$, $\Pr[W_1 = 1 - \zeta \mid y] \le \frac{1}{2(c+1)}$, respectively, where the probabilities are conditioned on 
the outcomes of $N$ in the respective subsystems. Consider the measurement $M^* := (E^*_0, E^*_1, E^*_?)$ with the 
same refined set of outputs $A$ as $M$ (which now will be indexed differently) in the following form: 

$$E^*_0 = E^*_{0,0} + E^*_{1,1}, \qquad E^*_1 = E^*_{0,1} + E^*_{1,0}, \qquad E^*_? = \mathbb{1} - E^*_0 - E^*_1,$$

where 

$$E^*_{\alpha,\beta} := \sum_{x \to \alpha,\; y \to \beta} F^0_x \otimes F^1_y. \qquad (12)$$

We show that the difference of the expected payoff $p$ of $M$ and the expected payoff $p^*$ of $M^*$ satisfies: 

$$|p - p^*| \le \frac{1}{k}. \qquad (13)$$

Since the refined sets of possible outcomes of both $M^*$ and $M$ are the same, the two measurements 
only differ in the post-processing functions, denoted by $b$ and $b^*$, respectively. In other words, $M^*$ differs 
from $M$ in the arrangement of the same set of summands in the three sums defining the measurement 
elements $(E_0, E_1, E_?)$ and $(E^*_0, E^*_1, E^*_?)$. 

Consider any strategy which upon measuring $(x,y)$ yields a conclusive answer. For the corresponding 
expected payoff $p_{x,y}$ conditioned on measuring $(x,y)$ we then get: 

$$p_{x,y} = (1 - q^0_x)(1 - q^1_y) + q^0_x q^1_y - c\bigl(q^0_x (1 - q^1_y) + (1 - q^0_x)\, q^1_y\bigr) = 1 - (c+1)\bigl(q^0_x + q^1_y - 2 q^0_x q^1_y\bigr). \qquad (14)$$

If, on the other hand, measuring $(x,y)$ implies the answer of $M$ to be inconclusive, the expected 
payoff conditioned on measuring $(x,y)$ will be 0. Consequently, the optimal post-processing strategy 
(with the maximum payoff) should output $b(x,y) = ?$ for every $(x,y)$ satisfying $q^0_x + q^1_y - 2 q^0_x q^1_y > \frac{1}{c+1}$, 
and otherwise it outputs a conclusive answer. In particular, the output should be inconclusive for all pairs 
$(x,y)$ such that $q^0_x > \frac{1}{c+1}$ or $q^1_y > \frac{1}{c+1}$, and conclusive if both $q^0_x, q^1_y \le \frac{1}{2(c+1)}$. 

However, only the knowledge that $(q^0_x, q^1_y) \in [0, \frac{1}{c+1}]^2 \setminus [0, \frac{1}{2(c+1)}]^2$ does not allow us to determine 
what the best output is in order to maximize the payoff. We analyze this problem with respect to the 
probability of error allowed for the post-processing function. 

We assume that the answer of $M$ with the post-processing function $b$ can be false with probability 
at most $q_{err} < \frac{1}{2k(c+1)}$. According to Markov's inequality, measuring $(x,y)$ such that either $q^0_x > k\, q_{err}$ 
or $q^1_y > k\, q_{err}$ does not allow to output a conclusive answer with probability larger than $1/k$. Thus, for 
either $q^0_x > \frac{1}{2(c+1)}$ or $q^1_y > \frac{1}{2(c+1)}$, the answer cannot be conclusive with probability larger than $1/k$. 
In the following we analyze the difference of the expected payoffs for the post-processing function $b$ and 
for a newly defined $b^*$ such that for any $(x,y)$ satisfying $q^0_x > \frac{1}{2(c+1)}$ or $q^1_y > \frac{1}{2(c+1)}$, the output is 
$b^*(x,y) = ?$. 

Consider every pair $(x,y)$ such that by modifying $b(x,y)$ into $b^*(x,y)$, $p_{x,y}$ decreases, and compute 
the difference of $p_{x,y}$ and $p^*_{x,y}$ in this case. We have that either $q^0_x \in (\frac{1}{2(c+1)}, \frac{1}{c+1}]$ or $q^1_y \in (\frac{1}{2(c+1)}, \frac{1}{c+1}]$, 
yielding that 

$$p_{x,y} = 1 - (c+1)\bigl(q^0_x + q^1_y - 2 q^0_x q^1_y\bigr) < \frac{1}{2}.$$

It means that for every pair $(x,y)$ for which the value of the post-processing function was modified, $p_{x,y}$ 
decreased by at most $1/2$. However, since the answer of $M$ is false with probability at most $q_{err}$, the 
functions $b$ and $b^*$ cannot differ anywhere except for a set of $(x,y)$ measured with probability at most 
$1/k$, given that $q_{err} < \frac{1}{2k(c+1)}$. This gives us 

$$|p - p^*| \le \frac{1}{k}. \qquad (15)$$

We have shown that a separable measurement $M$ can be approximated by a separable measurement 
$M^*$ in the special form. In the following we show that $M^*$ can be approximated by a measurement in 
the form from the statement, up to a difference in payoffs which is in $O(1/\sqrt{c})$. The statement of the 
lemma then follows from the triangle inequality. 

Our next goal is to construct a measurement $M' = (E'_0, E'_1, E'_?)$ in the form: 

$$E'_0 = G^0_{00} \otimes G^1_{00} + G^0_{11} \otimes G^1_{11}, \qquad E'_1 = G^0_{01} \otimes G^1_{01} + G^0_{10} \otimes G^1_{10}, \qquad E'_? = \mathbb{1} - E'_0 - E'_1,$$

approximating the measurement $M^*$ with respect to the expected payoff. In the definition of the elements 
of $M'$, the upper index of $G^i_{ab}$ specifies the subsystem, the first bit of the lower index determines the 
outcome in the first subsystem, and the second bit of the lower index determines the outcome in the 
second subsystem. 

Consider the previously constructed measurement $M^*$. Fix $\alpha, \beta \in \{0,1\}$ and define the operators 
$F^0_x := F^0_{\alpha,x} / \|F^0_{\alpha,x}\|_\infty$ and $F^1_y := F^1_{\beta,y} / \|F^1_{\beta,y}\|_\infty$, rescaled to unit operator norm, together with 
$\mu_{x,y} := \|F^0_{\alpha,x}\|_\infty \cdot \|F^1_{\beta,y}\|_\infty$. First, we construct positive-semidefinite operators $G^0_{\alpha,\beta}$, 
$G^1_{\alpha,\beta}$ approximating $E^*_{\alpha,\beta}$ (defined by (12)), where the guesses of $\alpha$ and $\beta$ conditioned on measuring $F^0_x$ and $F^1_y$ are incorrect with 
probability at most $\frac{1}{2(c+1)}$. We require these operators to satisfy: 

(i) $p_{E^*_{\alpha,\beta}} = p_{G^0_{\alpha,\beta} \otimes G^1_{\alpha,\beta}}$, where $p_{E^*_{\alpha,\beta}}$ and $p_{G^0_{\alpha,\beta} \otimes G^1_{\alpha,\beta}}$ denote the expected payoffs conditioned on 
measuring $E^*_{\alpha,\beta}$ and $G^0_{\alpha,\beta} \otimes G^1_{\alpha,\beta}$, respectively. 

(ii) For all $\zeta_0, \zeta_1, \alpha, \beta \in \{0,1\}$: 

$$\langle \psi_{\zeta_0}, \psi_{\zeta_1} | G^0_{\alpha,\beta} \otimes G^1_{\alpha,\beta} | \psi_{\zeta_0}, \psi_{\zeta_1} \rangle - \langle \psi_{\zeta_0}, \psi_{\zeta_1} | E^*_{\alpha,\beta} | \psi_{\zeta_0}, \psi_{\zeta_1} \rangle \in O(1/\sqrt{c}),$$

(iii) $\bigl\| \sum_{\alpha,\beta} G^0_{\alpha,\beta} \otimes G^1_{\alpha,\beta} \bigr\|_\infty \in 1 + O(1/c)$. 

We now describe the construction of the operators $G^0_{\alpha,\beta}$ and $G^1_{\alpha,\beta}$. The respective dominant eigenvectors 
of $F^0_x$ and $F^1_y$ can be written as 

$$|w_x\rangle = \gamma_{0,x} |\psi_{1-\alpha}\rangle + \gamma_{1,x} |\psi^\perp_{1-\alpha}\rangle, \qquad |w_y\rangle = \gamma_{0,y} |\psi_{1-\beta}\rangle + \gamma_{1,y} |\psi^\perp_{1-\beta}\rangle,$$

where for each $\zeta \in \{0,1\}$, $|\psi^\perp_\zeta\rangle$ denotes the unit vector in the span of $|\psi_0\rangle$ and $|\psi_1\rangle$ orthogonal to $|\psi_\zeta\rangle$. 
According to Lemma A.1, there exists $\kappa$ positive such that for each $x$ and $y$, $|\gamma_{0,x}|^2 \le \frac{\kappa}{c}$ and $|\gamma_{0,y}|^2 \le \frac{\kappa}{c}$. 
We define the operators $G^0_{\alpha,\beta}$ and $G^1_{\alpha,\beta}$ by 

$$G^0_{\alpha,\beta} := \Bigl(1 - \frac{\kappa}{c}\Bigr) \cdot \sum_x \|F^0_{\alpha,x}\|_\infty\, |\psi^\perp_{1-\alpha}\rangle\langle \psi^\perp_{1-\alpha}| + \nu_0(c)\, |\psi_{1-\alpha}\rangle\langle \psi_{1-\alpha}|,$$

and $G^1_{\alpha,\beta}$ analogously, with $y$, $\beta$, and $\nu_1(c)$ in place of $x$, $\alpha$, and $\nu_0(c)$, for non-negative functions $\nu_0, \nu_1 \in O(1/c)$ chosen to be such that 

$$p_{E^*_{\alpha,\beta}} = p_{G^0_{\alpha,\beta} \otimes G^1_{\alpha,\beta}}.$$

Such a choice of parameters is possible due to the fact that the probability of a wrong guess, conditioned 
on the outcome $E^*_{\alpha,\beta}$, is in $O(1/c)$. Since the operators $\{E^*_{\alpha,\beta}\}_{\alpha,\beta}$ form a valid POVM, after projecting them 
by the projector $P := |\psi_{1-\alpha}\rangle\langle \psi_{1-\alpha}| \otimes |\psi_{1-\beta}\rangle\langle \psi_{1-\beta}|$, we get a valid POVM on the support of $P$. In other 
words, $\{P E^*_{\alpha,\beta} P\}_{\alpha,\beta}$ form a POVM and therefore also the operators lower-bounding $P E^*_{\alpha,\beta} P$ form 
valid POVMs. From the condition 

$$\Bigl\| \sum_{\alpha,\beta} E^*_{\alpha,\beta} \Bigr\|_\infty \le 1,$$

we conclude that 

$$\Bigl\| \sum_{\alpha,\beta} G^0_{\alpha,\beta} \otimes G^1_{\alpha,\beta} \Bigr\|_\infty \in 1 + O(1/c). \qquad (16)$$
It remains to show that 

$$\forall\, \zeta_0, \zeta_1, \alpha, \beta \in \{0,1\}: \quad \langle \psi_{\zeta_0}, \psi_{\zeta_1} | G^0_{\alpha,\beta} \otimes G^1_{\alpha,\beta} | \psi_{\zeta_0}, \psi_{\zeta_1} \rangle - \langle \psi_{\zeta_0}, \psi_{\zeta_1} | E^*_{\alpha,\beta} | \psi_{\zeta_0}, \psi_{\zeta_1} \rangle \in O(1/\sqrt{c}).$$

By the definition of $G^0_{\alpha,\beta}$ and $G^1_{\alpha,\beta}$, this is true if $\zeta_0 \ne \alpha$ or $\zeta_1 \ne \beta$. We now discuss the remaining case. 
It follows from Lemma A.1, applied to each $F^0_x \otimes F^1_y$, and from the construction of $G^0_{\alpha,\beta} \otimes G^1_{\alpha,\beta}$ that 

$$\bigl\| G^0_{\alpha,\beta} \otimes G^1_{\alpha,\beta} - E^*_{\alpha,\beta} \bigr\|_\infty \in O(1/\sqrt{c}).$$

Hence, also 

$$\langle \psi_\alpha, \psi_\beta | G^0_{\alpha,\beta} \otimes G^1_{\alpha,\beta} | \psi_\alpha, \psi_\beta \rangle - \langle \psi_\alpha, \psi_\beta | E^*_{\alpha,\beta} | \psi_\alpha, \psi_\beta \rangle \in O(1/\sqrt{c}).$$

We have defined a set of operators $\{G^0_{\alpha,\beta} \otimes G^1_{\alpha,\beta}\}_{\alpha,\beta}$, almost forming a POVM due to the condition 
(iii). Therefore, we can re-scale the elements of the set by a factor in $1 - O(1/c)$, and thereby create 
a POVM $\{G^0_{\alpha,\beta} \otimes G^1_{\alpha,\beta}\}_{\alpha,\beta}$. Due to the condition (i), the expected payoffs conditioned on measuring 
either $E^*_{\alpha,\beta}$ or $G^0_{\alpha,\beta} \otimes G^1_{\alpha,\beta}$ are the same. Finally, due to the condition (ii), the probabilities of measuring 
an outcome from $\{E^*_{\alpha,\beta}\}_{\alpha,\beta}$ and an outcome from $\{G^0_{\alpha,\beta} \otimes G^1_{\alpha,\beta}\}_{\alpha,\beta}$ differ by a value in $O(1/\sqrt{c})$. 
Hence, if the probability of a conclusive answer of $M^*$ is constant, then the measurement with elements 

$$E''_0 := G^0_{0,0} \otimes G^1_{0,0} + G^0_{1,1} \otimes G^1_{1,1}, \qquad E''_1 := G^0_{0,1} \otimes G^1_{0,1} + G^0_{1,0} \otimes G^1_{1,0}, \qquad E''_? := \mathbb{1} - E''_0 - E''_1$$

gives a conclusive answer with probability lower by at most a value in $O(1/\sqrt{c})$, and differs from $M^*$ in 
its payoff by a value in $O(1/\sqrt{c})$. According to [KKB05], the state of each of the two subsystems after 
applying the measurement given above is independent of the outcome in the other one. Therefore, in 
order to achieve a certain expected payoff, the local measurements can be optimized separately. It follows 
that the payoff of the measurement $(E''_0, E''_1, E''_?)$ can be matched by the payoff $p'$ of some measurement 
$M'$ in the form: 

$$E'_0 = G^0_0 \otimes G^1_0 + G^0_1 \otimes G^1_1, \qquad E'_1 = G^0_0 \otimes G^1_1 + G^0_1 \otimes G^1_0, \qquad E'_? = \mathbb{1} - E'_0 - E'_1.$$

By applying (13) and the triangle inequality, we finally get that 

$$|p - p'| \in O(1/k) + O(1/\sqrt{c}).$$